Motivation

However, a network authentication protocol appears rather useless
if it can only be applied to local users.

The s+c Authentication Package (SCAP) is a security support provider
for Microsoft Windows® XP workstations. SCAP provides LDAP
support to Windows XP by creating the necessary local user accounts
on the fly. The actual authentication task is passed through to
Microsoft's Kerberos SSP.

Assumptions

All examples assume workstations and servers in the example.com
DNS domain. The Kerberos realm is named EXAMPLE.COM, and
the LDAP base DN is dc=example,dc=com.

The Windows XP client is named xp.example.com, the
KDCs are named kdc1.example.com through
kdc3.example.com, and the kpasswd service runs on
kdc1.example.com. The LDAP servers are ldap1.example.com
through ldap3.example.com.

The user is called johndoe; the user's principal is
johndoe@EXAMPLE.COM and is assumed to already exist.

Prerequisites

You must install and configure Microsoft's Kerberos 5
Interoperability Software. To do so, install the support
tools from any Windows XP installation CD and choose a complete
install.